<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Create and join a new remote domain" />
<meta name="abstract" content="This information explains how to create a new Enterprise Identity Mapping (EIM) domain for your enterprise and to configure a remote directory server to be the EIM domain controller for the new domain." />
<meta name="description" content="This information explains how to create a new Enterprise Identity Mapping (EIM) domain for your enterprise and to configure a remote directory server to be the EIM domain controller for the new domain." />
<meta name="DC.Relation" scheme="URI" content="rzalvcnfg.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzalvcnfgconfigwiz3" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Create and join a new remote domain</title>
</head>
<body id="rzalvcnfgconfigwiz3"><a name="rzalvcnfgconfigwiz3"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Create and join a new remote domain</h1>
<div><p>This information explains how to create a new Enterprise Identity Mapping (EIM) domain for your enterprise and to configure a remote directory server to be the EIM domain controller for the new domain.</p>
<div class="section"><div class="p">When you use the EIM Configuration wizard to create and join a new domain, you can choose to configure a directory server on a remote system to act as the EIM domain controller as part of creating your EIM configuration. You must specify the appropriate information for connecting to the remote directory server to allow you to configure EIM. If Kerberos is not currently configured on the iSeries™ server, the wizard prompts you to start the Network Authentication Service Configuration wizard.<div class="note"><span class="notetitle">Note:</span> The directory server on the remote system must provide EIM support. EIM requires that the domain controller be hosted by a directory server that supports Lightweight Directory Access Protocol (LDAP) Version 3. Additionally, the directory server product must have the EIM schema configured. For example, the IBM<sup>®</sup> Directory Server V5.1 provides this support. For more detailed information about EIM domain controller requirements, see <a href="rzalv_plan_controller.htm#rzalv_plan_controller">Plan an EIM domain controller</a>.</div>
</div>
<div class="p">When you complete the EIM Configuration wizard, you can accomplish these tasks: <ul><li>Create a new EIM domain.</li>
<li>Configure a remote directory server to act as the EIM domain controller.</li>
<li>Configure network authentication service for the system.</li>
<li>Create EIM registry definitions for the local i5/OS™ registry and the Kerberos registry.</li>
<li>Configure the system to participate in the new EIM domain.</li>
</ul>
</div>
<p>To configure your system to create and join a new EIM domain, you must have all the following special authorities: </p>
<ul><li>Security administrator (*SECADM).</li>
<li>All object (*ALLOBJ). </li>
<li>System configuration (*IOSYSCFG). </li>
</ul>
<p>To use the EIM Configuration wizard to create and join a domain on a remote system, complete these steps:</p>
</div>
<ol><li class="stepexpand"><span>Verify that the directory server on the remote system is active. </span></li>
<li class="stepexpand"><span>In iSeries Navigator, select the system for which you want to configure EIM and expand <span class="uicontrol">Network > Enterprise Identity Mapping</span>.</span></li>
<li class="stepexpand"><span>Right-click <span class="uicontrol">Configuration</span> and select <span class="uicontrol">Configure...</span> to start the EIM Configuration wizard. </span> <div class="note"><span class="notetitle">Note:</span> This option is labeled <span class="uicontrol">Reconfigure...</span> if EIM has been previously configured on the system.</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Welcome</span> page of the wizard, select <span class="uicontrol">Create and join a new domain</span>, and click <span class="uicontrol">Next</span>.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify EIM Domain Location</span> page, select <span class="uicontrol">On a remote Directory server</span> and click <span class="uicontrol">Next</span>.</span> <div class="note"><span class="notetitle">Note:</span> This option configures a directory server on a remote system to act as the EIM domain controller. Because this directory server stores all EIM data for the domain, it must be active and remain active to support EIM mapping lookups and other operations.</div>
<p>If network authentication service is not currently configured on the iSeries server, or additional network authentication configuration information is needed to configure a single signon environment, the <span class="uicontrol">Network Authentication Services Configuration</span> page displays. This page allows you to start the Network Authentication Service Configuration wizard so that you can <a href="../rzakh/rzakhconfig.htm">configure network authentication service</a>. Or, you can configure Network Authentication Service at a later time by using the configuration wizard for this service through iSeries Navigator. When you complete network authentication service configuration, the EIM Configuration wizard continues.</p>
</li>
<li class="stepexpand"><span>To configure network authentication service, complete these steps:</span><ol type="a"><li class="substepexpand"><span>On the <span class="uicontrol">Configure Network Authentication Service</span> page, select <span class="uicontrol">Yes</span> to start the Network Authentication Service Configuration wizard. With this wizard, you can configure several i5/OS interfaces and services to participate in a Kerberos realm as well as configure a single signon environment that uses both EIM and network authentication service.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify Realm Information</span> page, specify the name of the default realm in the <span class="uicontrol">Default realm</span> field. If you are using Microsoft<sup>®</sup> Active Directory for Kerberos authentication, select <span class="uicontrol">Microsoft Active Directory is used for Kerberos authentication</span>, and click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify KDC Information</span> page, specify the fully qualified name of the Kerberos server for this realm in the <span class="uicontrol">KDC</span> field, specify <tt>88</tt> in the <span class="uicontrol">Port</span> field, and click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify Password Server Information</span> page, select either <span class="uicontrol">Yes</span> or <span class="uicontrol">No</span> for setting up a password server. The password server allows principals to change passwords on the Kerberos server. If you select <span class="uicontrol">Yes</span>, enter the password server name in the <span class="uicontrol">Password server</span> field. In the <span class="uicontrol">Port</span> field, accept the default value of <samp class="codeph">464</samp>, and click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Select Keytab Entries</span> page, select <span class="uicontrol">i5/OS Kerberos Authentication</span>, and click <span class="uicontrol">Next</span>.</span> <div class="note"><span class="notetitle">Note:</span> In addition, you can also create keytab entries for the IBM Directory Server for iSeries (LDAP), iSeries NetServer™, and iSeries HTTP server if you want these services to use Kerberos authentication. You may need to perform additional configuration for these services before they can use Kerberos authentication.</div>
</li>
<li class="substepexpand"><span>On the <span class="uicontrol">Create i5/OS Keytab Entry</span> page, enter and confirm a password, and click <span class="uicontrol">Next</span>. This is the same password you will use when you add the i5/OS principals to the Kerberos server.</span></li>
<li class="substepexpand"><strong>Optional: </strong><span>On the <span class="uicontrol">Create Batch File</span> page, select <span class="uicontrol">Yes</span>, specify the following information, and click <span class="uicontrol">Next</span>:</span> <ul><li>In the <span class="uicontrol">Batch file</span> field, update the directory path. Click <span class="uicontrol">Browse</span> to locate the appropriate directory path, or edit the path in the <span class="uicontrol">Batch file</span> field.</li>
<li>In the <span class="uicontrol">Include password</span> field, select <span class="uicontrol">Yes</span>. This ensures that all passwords associated with the i5/OS service principal are included in the batch file. It is important to note that the passwords are stored in the batch file in clear text and can be read by anyone with read access to the file. Therefore, it is essential that you delete the batch file from the Kerberos server and from the PC immediately after you use it. If you do not include the password, you are prompted for the password when you run the batch file.<div class="note"><span class="notetitle">Note:</span> You can also manually add the service principals that are generated by the wizard to Microsoft Active Directory. To learn how to do this, see <a href="../rzakh/rzakhdefineiseries.htm">Add i5/OS principals to the Kerberos server</a>.</div>
</li>
</ul>
</li>
<li class="substepexpand"><span>On the <span class="uicontrol">Summary</span> page, review the network authentication service configuration details, and click <span class="uicontrol">Finish</span> to return to the EIM Configuration wizard.</span></li>
</ol>
</li>
<li class="stepexpand"><span>Use the <span class="uicontrol">Specify EIM Domain Controller</span> page to specify connection information as follows for the remote EIM domain controller that you want to configure: </span><ol type="a"><li class="substepexpand"><span>In the <span class="uicontrol">Domain controller name</span> field, specify the name of the remote directory server that you want to configure as the EIM domain controller for the domain that you are creating. The EIM domain controller name can be the directory server TCP/IP host and domain name or the directory server address.</span></li>
<li class="substepexpand"><span>Specify connection information for the connection to the domain controller as follows: </span> <ul><li>Select <span class="uicontrol">Use secure connection (SSL or TLS)</span> to use a secure connection to the EIM domain controller. When this is selected, the connection uses either Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to protect EIM data transmission over an untrusted network, such as the Internet. Without a secure connection, a distinguished name and password bind sends the password to the directory server in clear text, and all EIM data crosses the network unprotected. <div class="note"><span class="notetitle">Note:</span> You must verify whether the EIM domain controller is configured to use a secure connection. Otherwise, the connection to the domain controller may fail.</div>
</li>
<li>In the <span class="uicontrol">Port</span> field, specify the TCP/IP port on which the directory server listens. If <span class="uicontrol">Use secure connection</span> is selected, the default port is <samp class="codeph">636</samp>; otherwise, the default port is <samp class="codeph">389</samp>.</li>
</ul>
</li>
<li class="substepexpand"><span>Click <span class="uicontrol">Verify Connection</span> to test that the wizard can use the specified information to successfully establish a connection to the remote EIM domain controller.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">Next</span>.</span></li>
</ol>
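<p>The following Python example is added here for illustration; it is not part of the IBM documentation or of iSeries Navigator. It shows what the <span class="uicontrol">Verify Connection</span> step amounts to on the wire for the user type this page recommends (a distinguished name and password, that is, an LDAPv3 simple bind): the BindRequest carries the password as plain octets, which is why <span class="uicontrol">Use secure connection (SSL or TLS)</span> matters on any network you do not control. It also applies the two requirements from the note at the top of this page, LDAP Version 3 support and the EIM schema, to the attributes a root DSE and subschema search would return. The credentials and server answers are constructed, the port defaults are the ones named above, and the assumption that the EIM schema can be recognised by an <samp class="codeph">ibm-eimDomain</samp> object class, as well as the CA file argument, are the example's own and not statements from this page.</p>

```python
"""Added example for the "Specify EIM Domain Controller" step; not IBM code.
Assumptions (constructed credentials, the ibm-eimDomain marker for the EIM
schema, the CA file) are marked where they occur."""
import ssl
from typing import Dict, List, Optional

LDAP_PORT, LDAPS_PORT = 389, 636


def default_port(use_secure_connection: bool) -> int:
    """Port the wizard pre-fills: 636 with SSL/TLS selected, otherwise 389."""
    return LDAPS_PORT if use_secure_connection else LDAP_PORT


# Minimal BER encoder, enough for an LDAPv3 simple BindRequest (RFC 4511).
def ber_len(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count + big-endian."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int) -> bytes:
    """INTEGER in two's complement; the +8 keeps the sign bit clear for
    non-negative values (128 encodes as 00 80, not 80)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    BindRequest is [APPLICATION 0] constructed (tag 0x60); the simple
    authentication choice is context tag [0], primitive (tag 0x80)."""
    bind = (ber_int(3)
            + tlv(0x04, bind_dn.encode("utf-8"))
            + tlv(0x80, password.encode("utf-8")))
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))


def password_visible_on_wire(request: bytes, password: str) -> bool:
    """True when the password bytes appear verbatim in the request, which is
    what a simple bind over port 389 looks like in a packet capture."""
    return password.encode("utf-8") in request


def make_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context for port 636: verifies the controller's certificate
    chain and host name and refuses SSLv3 and TLS 1.0/1.1.  ca_file is the
    PEM bundle of the CA that signed the directory server's certificate
    (assumed); None falls back to the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def check_domain_controller(root_dse: Dict[str, List[str]],
                            subschema: Dict[str, List[str]]) -> List[str]:
    """Apply the page's two domain-controller requirements to the attributes
    a base-scope search of "" (root DSE) and of the subschema subentry would
    return.  Returns the problems found; an empty list means the server
    qualifies.  Inputs are dicts so the check runs offline."""
    problems = []
    if "3" not in root_dse.get("supportedLDAPVersion", []):
        problems.append("server does not advertise LDAP version 3")
    classes = " ".join(subschema.get("objectClasses", [])).lower()
    if "ibm-eimdomain" not in classes:  # assumed marker of the EIM schema
        problems.append("EIM schema missing: no ibm-eimDomain object class")
    return problems


if __name__ == "__main__":
    req = bind_request(1, "cn=administrator", "secret")  # constructed creds
    print(req.hex())
    print("password readable in capture:", password_visible_on_wire(req, "secret"))
    # Constructed server answers: one controller that qualifies, one that
    # has LDAP v3 but no EIM schema.
    good = check_domain_controller(
        {"supportedLDAPVersion": ["2", "3"]},
        {"objectClasses": ["( NAME 'ibm-eimDomain' SUP top STRUCTURAL )"]})
    bad = check_domain_controller({"supportedLDAPVersion": ["3"]}, {})
    print("qualifies:", good == [], "| problems:", bad)
```

<p>Run the file to print the bind request in hex and the result of the schema check. <samp class="codeph">make_tls_context</samp> is what a client should wrap its socket in when connecting to port 636, so that the domain controller's certificate chain and host name are verified before the distinguished name and password are sent; selecting the secure connection in the wizard without a trusted certificate on the remote server is the usual reason the connection fails, as the note above warns.</p>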
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify User For Connection</span> page, select a <span class="uicontrol">User type</span> for the connection. </span> You can select one of the following types of users: <span class="uicontrol">Distinguished name and password</span>, <span class="uicontrol">Kerberos keytab file and principal</span>, <span class="uicontrol">Kerberos principal and password</span>, or <span class="uicontrol">User profile and password</span>. The two Kerberos user types are available only if network authentication service is configured for the local iSeries system. The user type that you select determines the other information that you must provide to complete the dialog as follows: <div class="note"><span class="notetitle">Note:</span> To ensure that the wizard has enough authority to create the necessary EIM objects in the directory, select <span class="uicontrol">Distinguished name and password</span> as the user type and specify the LDAP administrator DN and password as the user.<p>You can specify a different user for the connection; however, the user you specify must have the equivalent of LDAP administrator authority for the remote directory server.</p>
</div>
<ol type="a"><li class="substepexpand"><span>If you select <span class="uicontrol">Distinguished name and password</span>, provide the following information:</span> <ul><li>In the <span class="uicontrol">Distinguished name</span> field, specify the LDAP administrator’s distinguished name (DN) to ensure that the wizard has enough authority to administer the EIM domain and the objects in it.</li>
<li>In the <span class="uicontrol">Password</span> field, specify the password for the distinguished name.</li>
<li>In the <span class="uicontrol">Confirm password</span> field, specify the password a second time for validation purposes.</li>
</ul>
</li>
<li class="substepexpand"><span>If you select <span class="uicontrol">Kerberos keytab file and principal</span>, provide the following information:</span> <ul><li>In the <span class="uicontrol">Keytab file</span> field, specify the fully qualified path and keytab file name that contains the Kerberos principal for the wizard to use when connecting to the EIM domain. Or, click <span class="uicontrol">Browse...</span> to browse through directories in the iSeries integrated file system to select a keytab file. </li>
<li>In the <span class="uicontrol">Principal</span> field, specify the name of the Kerberos principal to be used to identify the user.</li>
<li>In the <span class="uicontrol">Realm</span> field, specify the fully qualified Kerberos realm name of which the principal is a member. The name of the principal and realm together uniquely identify the Kerberos user in the keytab file. For example, the principal <samp class="codeph">jsmith</samp> in the realm <samp class="codeph">ordept.myco.com</samp> is represented in the keytab file as <samp class="codeph">jsmith@ordept.myco.com</samp>.</li>
</ul>
</li>
<li class="substepexpand"><span>If you select <span class="uicontrol">Kerberos principal and password</span>, provide the following information:</span> <ul><li>In the <span class="uicontrol">Principal</span> field, specify the name of the Kerberos principal for the wizard to use when connecting to the EIM domain. </li>
<li>In the <span class="uicontrol">Realm</span> field, specify the fully qualified Kerberos realm name of which the principal is a member. The name of the principal and realm together uniquely identify the Kerberos user; for example, the principal <samp class="codeph">jsmith</samp> in the realm <samp class="codeph">ordept.myco.com</samp> is identified as <samp class="codeph">jsmith@ordept.myco.com</samp>.</li>
<li>In the <span class="uicontrol">Password</span> field, specify the password for the Kerberos principal.</li>
<li>In the <span class="uicontrol">Confirm password</span> field, specify the password a second time for validation purposes. </li>
</ul>
</li>
<li class="substepexpand"><span>If you select <span class="uicontrol">User profile and password</span>, provide the following information: </span> <ul><li>In the <span class="uicontrol">User profile</span> field, specify the user profile name for the wizard to use when connecting to the EIM domain. </li>
<li>In the <span class="uicontrol">Password</span> field, specify the password for the user profile.</li>
<li>In the <span class="uicontrol">Confirm password</span> field, specify the password a second time for validation purposes.</li>
</ul>
</li>
<li class="substepexpand"><span>Click <span class="uicontrol">Verify Connection</span> to test that the wizard can use the specified user information to successfully establish a connection to the EIM domain controller.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">Next</span>.</span></li>
</ol>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify Domain</span> page, provide the following information: </span><ol type="a"><li><span>In the <span class="uicontrol">Domain</span> field, specify the name of the EIM domain that you want to create. Accept the default name of <samp class="codeph">EIM</samp>, or use any string of characters that makes sense to you. However, because the domain name becomes part of a distinguished name in the directory, you cannot use the special characters <strong>= + < > , # ; \ </strong> and <strong>*</strong>.</span></li>
<li><span>In the <span class="uicontrol">Description</span> field, enter text to describe the domain.</span></li>
<li><span>Click <span class="uicontrol">Next</span>.</span></li>
</ol>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify Parent DN for Domain</span> dialog, select <span class="uicontrol">Yes</span> to specify the parent DN the wizard should use for the location of the EIM domain that you are creating. </span> This is the DN that represents the entry immediately above your domain name entry in the directory information tree hierarchy. Or specify <span class="uicontrol">No</span> to have EIM data stored in a directory location with a suffix whose name is derived from the EIM domain name.<div class="note"><span class="notetitle">Note:</span> When you use the wizard to configure a domain on a remote domain controller, you should specify an appropriate parent DN for the domain. Because all necessary configuration objects for the parent DN must already exist or the EIM configuration may fail, you should browse for the appropriate parent DN rather than manually enter the DN information. Click <span class="uicontrol">Help</span> for further information about using a parent DN.</div>
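<p>The following Python example is added here and is not IBM code. It shows why the characters listed on the <span class="uicontrol">Specify Domain</span> page are forbidden (each of them has a meaning inside an LDAP distinguished name), builds the DN under which the domain entry is stored for both answers on the <span class="uicontrol">Specify Parent DN for Domain</span> page, and checks that every entry from the chosen parent DN up to a suffix already exists, which is the condition the note above says must hold. The attribute type <samp class="codeph">ibm-eimDomainName</samp> for the domain entry's RDN, the parent DN <samp class="codeph">ou=eimdata,o=ibm,c=us</samp> and the list of existing entries are assumptions of the example, not statements from this page.</p>

```python
"""Added example for the "Specify Domain" and "Specify Parent DN for Domain"
steps; not IBM code.  Assumptions are marked where they occur."""
from typing import Iterable, List, Optional

# The characters the page forbids in an EIM domain name.  They are the ones
# that carry meaning in an LDAP distinguished name (RFC 4514), because the
# name becomes an RDN value in the directory.
FORBIDDEN = frozenset("=+<>,#;\\*")

# Assumed: the attribute type the EIM schema uses for the domain entry's RDN.
DOMAIN_RDN_ATTR = "ibm-eimDomainName"


def validate_domain_name(name: str) -> None:
    """Raise ValueError for an empty name or one with a forbidden character."""
    if not name.strip():
        raise ValueError("EIM domain name must not be empty")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        raise ValueError("EIM domain name contains forbidden characters: "
                         + " ".join(bad))


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4):
    a backslash before \\ , + " < > ; anywhere, before a leading '#' or
    space and a trailing space, and NUL written as \\00."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def domain_dn(name: str, parent_dn: Optional[str]) -> str:
    """DN of the domain entry the wizard creates: under parent_dn when you
    answer Yes on the parent DN page, otherwise a suffix of its own whose
    name is derived from the domain name."""
    validate_domain_name(name)
    rdn = DOMAIN_RDN_ATTR + "=" + escape_rdn_value(name)
    return rdn + "," + parent_dn if parent_dn else rdn


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings on unescaped commas (a backslash escapes
    the next character).  Whitespace after a comma is dropped."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).lstrip())
    return parts


def missing_entries(parent_dn: str, existing_dns: Iterable[str],
                    suffixes: Iterable[str]) -> List[str]:
    """The page warns that every object above the domain must already exist
    or the configuration fails.  Walk from the parent DN up to a configured
    suffix and report each entry that is not present.  existing_dns stands
    in for what a search of the remote server would return.  Comparison is
    case-insensitive on the whole string, which is adequate for attribute
    types and for the values usually found above an EIM domain."""
    have = {d.lower() for d in existing_dns}
    tops = {d.lower() for d in suffixes}
    rdns = split_dn(parent_dn)
    missing = []
    for i in range(len(rdns)):
        dn = ",".join(rdns[i:])
        if dn.lower() not in have:
            missing.append(dn)
        if dn.lower() in tops:
            return missing
    missing.append("no configured suffix covers " + parent_dn)
    return missing


if __name__ == "__main__":
    # Constructed directory: one suffix holding one organizational unit.
    suffixes = ["o=ibm,c=us"]
    existing = ["o=ibm,c=us", "ou=eimdata,o=ibm,c=us"]
    print(domain_dn("EIM", "ou=eimdata,o=ibm,c=us"))  # answered Yes
    print(domain_dn("EIM", None))                     # answered No
    print(missing_entries("ou=missing,o=ibm,c=us", existing, suffixes))
    try:
        domain_dn("sales,dept", "o=ibm,c=us")
    except ValueError as err:
        print("rejected:", err)
```

<p>Browsing for the parent DN in the wizard does the equivalent of <samp class="codeph">missing_entries</samp> returning an empty list: it only offers entries that exist. Typing a DN by hand skips that check, which is why the note above recommends browsing.</p>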
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Registry Information</span> page, specify whether to add local user registries to the EIM domain as registry definitions. Select one or both of these user registry types:</span> <div class="note"><span class="notetitle">Note:</span> You do not have to create the registry definitions at this time. If you choose to create the registry definitions later, you need to <a href="rzalvadminaddusrreg.htm#rzalvadminaddusrreg">add the system registry definitions</a> and <a href="rzalvmanageconfigprops.htm#manage_config_props">update the EIM configuration properties</a>.</div>
<ol type="a"><li><span>Select <span class="uicontrol">Local i5/OS</span> to add a registry definition for the local registry. In the field provided, accept the default value for the registry definition name or specify a different value for the registry definition name. The EIM registry name is an arbitrary string that represents the registry type and specific instance of that registry. </span></li>
<li><span>Select <span class="uicontrol">Kerberos</span> to add a registry definition for a Kerberos registry. In the field provided, accept the default value for the registry definition name or specify a different value for the registry definition name. The default registry definition name is the same as the realm name. By accepting the default name and using the same Kerberos registry name as the realm name, you can increase performance in retrieving information from the registry. Select <span class="uicontrol">Kerberos user identities are case sensitive</span>, if necessary.</span></li>
<li><span>Click <span class="uicontrol">Next</span>.</span></li>
</ol>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify EIM System User</span> page, select a <span class="uicontrol">User type</span> that you want the system to use when performing EIM operations on behalf of operating system functions. </span> These operations include mapping lookup operations and deletion of associations when deleting a local i5/OS user profile. You can select one of the following types of users: <span class="uicontrol">Distinguished name and password</span>, <span class="uicontrol">Kerberos keytab file and principal</span>, or <span class="uicontrol">Kerberos principal and password</span>. Which user types you can select varies based on the current system configuration. For example, if Network Authentication Service is not configured for the system, then Kerberos user types may not be available for selection. The user type that you select determines the other information that you must provide to complete the page as follows: <div class="note"><span class="notetitle">Note:</span> You must specify a user that is currently defined in the directory server which is hosting the EIM domain controller. The user that you specify must have privileges to perform mapping lookup and registry administration for the local user registry at a minimum. If the user that you specify does not have these privileges, then certain operating system functions related to the use of single signon and the deletion of user profiles may fail.<p>If you have not configured the directory server prior to running this wizard, the only user type you can select is <span class="uicontrol">Distinguished name and password</span> and the only distinguished name you can specify is the LDAP administrator's DN.</p>
</div>
<ol type="a"><li class="substepexpand"><span>If you select <span class="uicontrol">Distinguished name and password</span>, provide the following information:</span> <ul><li>In the <span class="uicontrol">Distinguished name</span> field, specify the LDAP distinguished name that identifies the user for the system to use when performing EIM operations.</li>
<li>In the <span class="uicontrol">Password</span> field, specify the password for the distinguished name.</li>
<li>In the <span class="uicontrol">Confirm password</span> field, specify the password a second time for verification purposes.</li>
</ul>
</li>
<li class="substepexpand"><span>If you select <span class="uicontrol">Kerberos principal and password</span>, provide the following information: </span> <ul><li>In the <span class="uicontrol">Principal</span> field, specify the Kerberos principal name for the system to use when performing EIM operations.</li>
<li>In the <span class="uicontrol">Realm</span> field, specify the fully qualified Kerberos realm name of which the principal is a member. The name of the principal and realm together uniquely identify the Kerberos user; for example, the principal <samp class="codeph">jsmith</samp> in the realm <samp class="codeph">ordept.myco.com</samp> is identified as <samp class="codeph">jsmith@ordept.myco.com</samp>.</li>
<li>In the <span class="uicontrol">Password</span> field, enter the password for the user.</li>
<li>In the <span class="uicontrol">Confirm password</span> field, specify the password a second time for verification purposes. </li>
</ul>
</li>
<li class="substepexpand"><span>If you select <span class="uicontrol">Kerberos keytab file and principal</span>, provide the following information:</span> <ul><li>In the <span class="uicontrol">Keytab file</span> field, specify the fully qualified path and keytab file name that contains the Kerberos principal for the system to use when performing EIM operations. Or, click <span class="uicontrol">Browse...</span> to browse through directories in the iSeries integrated file system to select a keytab file.</li>
<li>In the <span class="uicontrol">Principal</span> field, specify the Kerberos principal name for the system to use when performing EIM operations.</li>
<li>In the <span class="uicontrol">Realm</span> field, specify the fully qualified Kerberos realm name of which the principal is a member. The name of the principal and realm together uniquely identify the Kerberos user in the keytab file. For example, the principal <samp class="codeph">jsmith</samp> in the realm <samp class="codeph">ordept.myco.com</samp> is represented in the keytab file as <samp class="codeph">jsmith@ordept.myco.com</samp>.</li>
</ul>
</li>
<li class="substepexpand"><span>Click <span class="uicontrol">Verify Connection</span> to ensure that the wizard can use the specified user information to successfully establish a connection to the EIM domain controller.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">Next</span>.</span></li>
</ol>
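<p>The following Python example is added here and is not IBM code. It ties together the principal and realm fields on the <span class="uicontrol">Specify User For Connection</span> and <span class="uicontrol">Specify EIM System User</span> pages and the Kerberos registry definition from the <span class="uicontrol">Registry Information</span> page: it parses the <samp class="codeph">principal@realm</samp> form the page shows for a keytab entry (going beyond the page to multi-part service principals and backslash-escaped characters), finds the registry definition for a principal under the default rule that the registry name equals the realm name, and compares user identities according to the <span class="uicontrol">Kerberos user identities are case sensitive</span> setting. The names other than <samp class="codeph">jsmith@ordept.myco.com</samp> are constructed for the example.</p>

```python
"""Added example for the Kerberos principal, realm and registry fields on
this page; not IBM code.  Names other than the page's jsmith example are
constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """A Kerberos principal: name components plus the realm."""
    components: Tuple[str, ...]
    realm: str

    def keytab_form(self) -> str:
        """The principal@realm string the page shows for a keytab entry, with
        '/', '@' and '\\' inside a component escaped so that the text parses
        back unambiguously."""
        def esc(s: str) -> str:
            return "".join("\\" + c if c in "\\/@" else c for c in s)
        return "/".join(esc(c) for c in self.components) + "@" + esc(self.realm)


def parse_principal(text: str, default_realm: Optional[str] = None) -> Principal:
    """Parse 'comp1/comp2@REALM'.  A backslash escapes the next character
    (so 'odd\\@name@REALM' has the single component 'odd@name'), '/'
    separates components, and the first unescaped '@' starts the realm.
    A name without a realm takes default_realm; with neither it is an
    error, because the page treats name and realm together as the identity."""
    comps: List[str] = []
    cur: List[str] = []
    escaped = in_realm = False
    for ch in text:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "@" and not in_realm:
            comps.append("".join(cur))
            cur, in_realm = [], True
        elif ch == "/" and not in_realm:
            comps.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if escaped:
        raise ValueError("principal ends with a dangling backslash")
    if in_realm:
        realm = "".join(cur)
    else:
        comps.append("".join(cur))
        realm = default_realm or ""
    if not realm:
        raise ValueError("no realm in %r and no default realm" % text)
    if not comps or any(c == "" for c in comps):
        raise ValueError("empty component in principal %r" % text)
    return Principal(tuple(comps), realm)


@dataclass
class KerberosRegistry:
    """An EIM registry definition for a Kerberos registry.  The page's
    default is name == realm name, with identities compared without regard
    to case unless "Kerberos user identities are case sensitive" is set."""
    name: str
    case_sensitive: bool = False

    def same_identity(self, a: str, b: str) -> bool:
        return a == b if self.case_sensitive else a.casefold() == b.casefold()


def find_registry(registries: Iterable[KerberosRegistry],
                  principal: Principal) -> Optional[KerberosRegistry]:
    """The registry definition a principal belongs to, by realm.  With the
    default naming this is a direct name match, which is the lookup the
    page says performs best; a registry named differently from its realm
    would need a separate realm-to-registry table (not modelled here)."""
    for reg in registries:
        if reg.name == principal.realm:
            return reg
    return None


if __name__ == "__main__":
    regs = [KerberosRegistry("ordept.myco.com"),
            KerberosRegistry("ENG.MYCO.COM", case_sensitive=True)]
    for text in ("jsmith@ordept.myco.com", "JSmith@ordept.myco.com",
                 "ldap/dir01.myco.com@ENG.MYCO.COM", "odd\\@name@ENG.MYCO.COM",
                 "nobody@NOWHERE"):
        p = parse_principal(text)
        reg = find_registry(regs, p)
        same = reg.same_identity(p.components[0], "jsmith") if reg else None
        print(p.keytab_form(), "->", reg.name if reg else "no registry",
              "| same identity as jsmith:", same)
```

<p>The case-sensitivity setting is the security-relevant knob here: with it off, <samp class="codeph">JSmith</samp> and <samp class="codeph">jsmith</samp> map to the same target identity, which is what most Kerberos deployments expect, but a realm that really does distinguish the two needs the option on or the mapping will conflate them.</p>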
</li>
<li class="stepexpand"><span>In the <span class="uicontrol">Summary</span> panel, review the configuration information that you have provided. If all information is correct, click <span class="uicontrol">Finish</span>.</span></li>
</ol>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalvcnfg.htm" title="Use this information to learn how to use the Enterprise Identity Mapping (EIM) Configuration wizard to configure EIM for your iSeries servers.">Configure Enterprise Identity Mapping</a></div>
</div>
</div><div class="nested1" xml:lang="en-us" id="finalizeyoureimconfigurationforthedomain2"><a name="finalizeyoureimconfigurationforthedomain2"><!-- --></a><h2 class="topictitle2">Finalize your EIM configuration for the domain</h2>
<div><div class="section">When the wizard finishes, it adds the new domain to the <span class="uicontrol">Domain Management</span> folder and you have created a basic EIM configuration for this server. However, you must complete these tasks to finalize your EIM configuration for the domain:</div>
<ol><li class="stepexpand"><span>Use the EIM Configuration wizard on each additional server that you want to have <a href="rzalvcnfgconfigwizard.htm#rzalvcnfgconfigwizard">join the new domain</a>.</span></li>
<li class="stepexpand"><span>Add EIM registry definitions to the EIM domain, if necessary, for other non-iSeries servers and applications that you want to participate in the EIM domain. These registry definitions refer to the actual user registries that must participate in the domain.</span> You can either <a href="rzalvadminaddusrreg.htm#rzalvadminaddusrreg">Add system registry definitions</a> or <a href="rzalvadminaddappreg.htm#rzalvadminaddappreg">Add application registry definitions</a> depending on your EIM implementation needs.</li>
<li class="stepexpand"><span>Based on your EIM implementation needs, determine whether to: </span><ol type="a"><li><span><a href="rzalvadminidentcreate.htm#rzalvadminidentcreate">Create EIM identifiers</a> for each unique user or entity in the domain and <a href="rzalvcrtidentifierassoc.htm#create_id_assoc">create identifier associations</a> for them.</span></li>
<li><span><a href="rzalvcrtpolassoc.htm#create_pol_assoc">Create policy associations</a> to map a group of users to a single target user identity.</span></li>
<li><span>Create a combination of these.</span></li>
</ol>
</li>
<li class="stepexpand"><span>Use the EIM <a href="rzalvtestmappings.htm#testmapping">test a mapping</a> function to test the identity mappings for your EIM configuration. </span></li>
<li class="stepexpand"><span>If the only EIM user you have defined is the DN for the LDAP administrator, then your EIM user has a high level of authority to all data on the directory server. </span> Because the system user's credentials are stored on the iSeries server and used unattended, anyone who obtains them gains the full authority of the LDAP administrator over the directory. Therefore, you might consider creating one or more DNs as additional users that have more appropriate and limited <a href="../rzalv/rzalveservereimauths.htm">access control</a> for EIM data. To learn more about creating DNs for the directory server, see <a href="../rzahy/rzahyunderdn.htm">Distinguished names</a> in the IBM Directory Server for iSeries (LDAP) topic. The number of additional EIM users that you define depends on your security policy's emphasis on the separation of security duties and responsibilities. Typically, you might create at least the two following types of DNs:<ul><li><strong>A user that has EIM administrator access control</strong><p>This EIM administrator DN provides the appropriate level of authority for an administrator who is responsible for managing the EIM domain. This EIM administrator DN could be used to connect to the domain controller when managing all aspects of the EIM domain by means of iSeries Navigator.</p>
</li>
<li><strong>At least one user that has all of the following access controls</strong>:<ul><li>Identifier administrator</li>
<li>Registry administrator</li>
<li>EIM mapping operations</li>
</ul>
This user provides the appropriate level of access control required for the system user that performs EIM operations on behalf of the operating system.</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> To use this new DN for the system user instead of the LDAP administrator DN, you must change the EIM configuration properties for the iSeries server. See <a href="../rzalv/rzalvmanageconfigprops.htm">Manage EIM configuration properties</a> to learn how to change the system user DN.</div>
</li>
</ol>
<div class="section"><p>You might need to perform additional tasks if you created a basic network authentication service configuration, especially if you are implementing a single signon environment. You can find information about these additional steps by reviewing the complete configuration steps demonstrated by the scenario, <a href="../rzamz/rzamzenablessoos400.htm">Enable single signon for i5/OS</a>.</p>
</div>
</div>
</div>
</body>
</html>